How to write trigger condition

Yogesh · March 29, 2019, 5:39am

I am writing trigger condition for user created and deleted within 10 mn. Below is condition , but it is giving
compile error

{“script”:{ “lang”: “painless”,
“source”: “def removes=ctx.payload.aggregations.event_id.buckets.remove.users.buckets.stream().map(p → p.key).collect(Collectors.toList()); return ctx.payload.aggregations.event_id.buckets.add.users.buckets.stream().map(p → p.key).filter(p → removes.contains(p)).toArray().length > 0;”
}}

dbbaughe · March 29, 2019, 11:22pm

Hi Yogesh,

Please refer to:
https://opendistro.github.io/for-elasticsearch-docs/docs/alerting/monitors/#extraction-query
The monitor query response should be accessed using ctx.results[0] instead of ctx.payload

Thanks,
Drew

asikarwar · September 13, 2019, 2:54pm

Hi,

I want to write a condition where it will check count for each host and not total

So instead of this
ctx.results[0].hits.total.value > 400
I need to access doc_count
something like the following:
ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400

But the above throw error:

    {
      "type" : "script_exception",
      "reason" : "runtime error",
      "script_stack" : [
        "ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400",
        "                                                 ^---- HERE"
      ],
      "script" : "ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400",
      "lang" : "painless",
      "caused_by" : {
        "type" : "illegal_argument_exception",
        "reason" : "Illegal list shortcut value [doc_count]."
      }
    }

Following is the response from extraction query which i am using for trigger action how can i access doc_count which i under buckets so it will only qualify

{
    "_shards": {
        "total": 198,
        "failed": 0,
        "successful": 198,
        "skipped": 52
    },
    "hits": {
        "hits": [],
        "total": {
            "value": 496,
            "relation": "eq"
        },
        "max_score": null
    },
    "took": 11,
    "timed_out": false,
    "aggregations": {
        "group_by_host": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {
                    "doc_count": 494,
                    "key": "Computer1"
                },
                {
                    "doc_count": 2,
                    "key": "Computer2"
                }
            ]
        },
        "event_count": {
            "value": 496
        } 
    }
}

cbanaszak · October 18, 2019, 3:33pm

I’ve run into this issue and im still working it but I know that because the buckets are in an array like the results you have to include that array in your source like the [0] here referencing the first item in the array. What I am trying to figure out is how to match that against all buckets.

ctx.results[0].aggregations.group_by_host.buckets[0].doc_count

lucaswin-amzn · October 29, 2019, 4:43pm

Hi @cbanaszak,

Am I understanding correctly that in your trigger condition you would like to loop over all values in ctx.results[0].aggregations.group_by_host.buckets? If so you can do this by using the .size() so something like:

for (int i = 0; i < ctx.results[0].aggregations.group_by_host.buckets.size(); i++) {
// bucket values can be accessed via: ctx.results[0].aggregations.group_by_host.buckets[i].doc_count
// for example.
}

bijeshr · December 8, 2020, 1:18am

buckets is an array, so something like this works:

ctx.results[0].aggregations.group_by_host.buckets[0].doc_count > 400

bilalcaliskan · March 25, 2022, 10:51am

i dont think that the real problem is solved here. problem is how to check if any buckets in the bucket list is triggers the condition. @lucaswin-amzn sadly your for loop does not work on Opendistro.

Creating a trigger based on the first bucket won’t be effective i think because i may have several buckets and maybe the last bucket exceeds the threshold.